Sunday, March 11, 2012

GET and POST method in HTTP and HTTPS Protocol

GET and POST method in HTTP and HTTPS are two most popular methods used to transfer data from client to server using HTTP(Hyper Text Transfer Protocol) protocol. Both GET and POST can be used to send request and receive response but there are significant difference between them. Difference between GET and POST in HTTP or HTTPS is also a popular interview question in JSP and any web programming interview. Since HTML is independent of any web server technology like Java, ASP or PHP and HTTP is core protocol in space of internet, importance of clear understanding of GET and POST method can not be ignored. In this tutorial we will What is GET HTTP Request, What is POST HTTP Request, When to use GET and POST HTTP method and finally some difference between GET and POST method in HTTP protocol.

What is GET HTTP Request in http

HTTP protocol supports several request method you can use while sending request using HTTP or HTTPS protocol. GET is one of them. As the name suggest GET method is to retrieve a page from HTTP Server. You can identify a GET request by looking method attribute on HTTP Request part. If you are using Netbeans IDE for Java web development you can enable HTTP Server monitor which can capture HTTP request and show details of request parameters, headers and other useful information. for GET HTTP request method will be GET for example almost all the URL which is accessible using link are accessed using HTTP Request. One important property of GET request is that any request parameter or query parameter is passed as URL encoded string, appended using "?" character which makes it non secure because whatever information you pass in URL String is visible to everybody. Though GET method has some very interesting and powerful use cases which we will seen in next section : When to use GET HTTP Request?

When to use HTTP GET request

As I said GET method is not secure and hence not a suitable choice for transferring confidential data but GET method is extremely useful for retrieving static content from web server. here are some examples where a using GET method make sense:

1) There is no side effect of repeated request. for example clicking a link which points to another page. it doesn't matter if you click the link twice or thrice , This also gives chance browser of server to catch the response for faster retrieval.

2) You are not passing any sensitive and confidential information. instead you just passing some configuration data or session id.

3) You want URL pointed by HTTP GET request to be bookmark-able.

4) Data requires to be sent to Server is not large and can safely accommodated in maximum length of URL supported by all browser. In general different browser has different character limit for URL length but having it under limit is good choice.

What is POST HTTP method

POST HTTP request is denoted by method: POST in HTTP request. In POST method data is not sent as part of URL string to server instead in POST, data is sent as part of message body. Almost all authentication request is sent via POST method in HTTP world. POST method is secure because data is not visible in URL String and can be safely encrypted using HTTPS for further security. All sensitive and confidential information sent to be server must go on POST request and via HTTPS (HTTP with SSL). POST method is also used for submitting information to server, any information which can alter state of application like adding item into shopping cart, making payments etc. here are some examples where you should consider using POST method in HTTP request:

1) Use POST if you are sending large data which can not be fit into URL in case of GET.

2) Use POST method if you are passing sensitive and confidential information to server e.g. user_id, password, account number etc.

3) Use POST method if you are submitting data which can alter state of application e.g. adding items into cart for passing that cart for payment processing.

4) Use POST if you are writing secure application and don't want to show query parameters in URL.

Difference between GET and POST method in HTTP Protocol

Most of the difference between GET and POST has been already discussed in there respective section. It all depends upon requirement when you want to choose GET and POST and knowledge of these differences help you to make that decision.

7 comments
:

I think one difference between GET and POST in html is enough to describe there basic purpose. GET request is used to retrieve data from Server without changing state of Server while POST request in html is used to send data to server which cause change in Server's state like storing data into Database, Storing XML files etc. Though you have outlined number of differences between GET and POST, which is OK but I think this difference is what differentiate GET with the POST.

Cheng, I could not understand one thing in your point. Even in case of GET, data is being transferred to server though in the form of querystring, so data can still change the state of server (like DB storage). Which is applicable in case of POST as well. So tell me where is the diffenence in terms of point you mentioned??

Surprised to see, no one has mentioned most obvious difference between GET and POST methods, In my opinion GET is to get data from the Server and POST to post (read send) data to the Server. If you don't agree, let me know WHY?

JackTheR i see your point........but i would agree with the author though in security issues and when to use between those to....only thing i disagree is sounds that the author pointed that they are all the same except only when it comes to security and other issues mentioned...he never mentioned about POST which is to read data from server to the client?while GET is to write to the server?

Nice tutorialPOST method is more secure than GETData can be seen in URL when you use GET methodHere is an article about Difference between HTTP and HTTPshttp://geekfellows.blogspot.com/2013/08/what-is-difference-between-http-and.html

I have strong objections to anything in a simple HTTP request ever being called "secure."

The only difference between the visibility of GET and POST data is that it doesn't appear in the URL. It's still completely visible to absolutely everybody who sees the request, including the user (especially with modern browsers like Chrome that have header inspection tools built in), including any malware installed on the user's machine, including anyone on their hub or on an ARP cache poisoned switch, including any points along the route, etc., etc.

Security through obscurity is the exact opposite of security. It creates a false sense of security, leading to complacency, making it even easier for malicious or curious agents to compromise your security.

If you're thinking about security on the web, your very first thought should be TLS (SSL), not GET v. POST.﻿